Gramm-Leach-Bliley Act for Financial Aid
Val Meyers, Associate Director, Michigan State University
GLB Act – who is affected
- Federal Trade Commission Regulation
- Applies to all institutions that act in a banking capacity
- Applies to universities that make loans and/or do loan collections
  - This includes Perkins Loans, institutional loans, and “school-as-lender” FFELP
GLB Act – what it means
- Requires institutions meet standards related to safeguarding customer financial information
- Deadline for compliance was 5/23/03
- Two major areas
  - Privacy of information
  - Safety of information
Privacy of Information
- Universities who abide by FERPA are meeting the criteria to protect information privacy
- FERPA – Family Educational Rights & Privacy Act
  - Protects the privacy of all student educational records, including financial information
FERPA Requirements
- You should have a written policy in place
- Staff should have periodic training
- Exceptions are
  - “need to know” within the institution
  - Audits
  - Law enforcement with proper legal documents
  - Financial servicers or partners (i.e., loan servicers, collection agencies)
FERPA Extended
- To comply with GLB, financial information for non-students must also have privacy protection
- Apply FERPA policies to parents and anyone else for whom you make loans
Safety of Information
- Natural Disaster
- Human Error
- Deliberate Fraud
- Corruption of Data
- Theft of Hardware, Software, Reports
- Unauthorized Access
Safety of Information
- Natural Disaster
  - Backups in remote locations
- Human Error
  - Audit trails, reports
- Deliberate Fraud
  - Separation of Duties
Safety of Information
- Corruption of Data
  - Secured Access
  - Anti-virus software
  - Firewalls & hacker protection
Safety of Information
- Theft of Hardware, Software, Reports
  - Secure during non-business hours
  - Work areas require escort
  - Documents control
  - Shred discards
  - Keep unauthorized visitors away from documents
Safety of Information
- Unauthorized Access
  - Password access
  - Anti-hacker software
  - Policies on who may receive reports and files from your office
  - Privacy shields on computers
Task Force Concerns
- Involve all offices who handle student loan or collections data
  - Financial Aid
  - Bursar/Controller
  - Information Technology/Computer Systems
- Recommended addition
  - University Counsel
Designate a Compliance Office or Officer
- Each institution must designate a compliance office or officer who is responsible for holding and monitoring compliance documents
Risk Assessment Documentation
- List each privacy and safety concern
- Address how your institution minimizes each risk
- Documents should be on file from each office that “touches” the data
- Third party servicer contracts should contain protective language as well
Contract Language
- University Counsel should recommend contract language to be inserted in all university contracts with 3rd party vendors who have access to your student/parent financial loan data
- The deadline to add such language to your contracts was May 2004
Recommended Office Policies
- Place all student-specific documents in shredding bins
- Verify identity of students & parents before sharing data
- Refer 3rd party requests to your designated staff
  - May be Compliance Officer, AD or Director
- Report computer problems promptly
Other Office Policies
- Staff must not share passwords
- Lock or power down computers when leaving work area
- Shield computer screens and data from other students
- Do not leave visitors unattended
Questions & Answers
Val Meyers, Michigan State University